CCNA Security Lab 2 - Cisco IOS Login Block - CLI 

Lab 2 

Cisco IOS Login Block 
Lab Objective: 

The objective of this lab exercise is for you to learn and understand how to 
implement the Cisco IOS Login Block feature. 

Lab Purpose: 

The Cisco IOS Login Enhancements (Login Block) feature allows users to enhance 
the security of a router by configuring options to automatically block further 
login attempts when a possible Denial-of-Service (DoS) attack is detected. 

Lab Difficulty: 

This lab has a difficulty rating of 8/10. 

Readiness Assessment: 

When you are ready for your certification exam, you should complete this lab in 
no more than 15 minutes. 

Lab Topology: 

Please use the following topology to complete this lab exercise: 



Lab 2 Configuration Tasks 
Task 1: 

Configure the hostnames and IP addresses on R1 and R2 as illustrated in the 
network diagram. Configure R2 to send R1 clocking information at a rate of 
512Kbps. Ping between R1 and R2 to verify your configuration and ensure that the 
two routers have IP connectivity. 

Task 2: 

Configure the following interfaces on R2: 

Interface     Address/Mask 

Loopback10    10.10.10.2/26 
Loopback20    20.20.20.2/28 










Task 3: 


Configure a static default route on R1 via Serial0/0. Ping R1 from the Loopback10 and Loopback20 
interfaces of R2 and validate IP connectivity. 

Task 4: 

Configure Cisco IOS Login Block on R1 as follows: 

If there are more than 2 failed login attempts within 20 seconds of each other, the router should block 
login access for a period of 40 seconds. 

However, during the blocking time, the router should allow only TELNET connections from the 
Loopback20 subnet on R2 to attempt to log in. 

In addition to this, the router should log every single successful and failed login attempt. 

Task 5: 

Configure a user with the username ccna and password security on R1. This user should have Level 15 
privileges. In addition, configure R1 to allow Telnet access while authenticating users based on the local 
router database. Finally, configure R1 to log ALL messages to the buffer. 

Task 6: 

Test your login configuration as follows: 

Telnet to R1 from the Loopback10 interface of R2, purposely using an incorrect password for user ccna. 
For example, use the password security1 instead. Repeat this activity at least two times in 20 seconds. 
If your configuration is correct, the router should activate the quiet period and a subsequent connection 
attempt to R1 should be denied. Validate this. 

Telnet to R1 from the Loopback20 interface of R2 while the router is in the quiet period. Despite this, the 
exception configured in Task 4 should allow user ccna to log in - using the correct password. Verify that 
this is the case. 

Issue the show log command on R1. You should observe some SYSLOG messages pertaining to all failed 
and successful login attempts on the router. 


Lab 2 Configuration and Verification 
Task 1: 

Router(config)#hostname R1 

R1(config)#interface serial0/0 

R1(config-if)#no shutdown 

R1(config-if)#ip address 10.1.1.1 255.255.255.252 

R1(config-if)#end 

R1# 

Router(config)#hostname R2 

R2(config)#interface serial0/0 

R2(config-if)#no shutdown 

R2(config-if)#clock rate 512000 

R2(config-if)#ip address 10.1.1.2 255.255.255.252 

R2(config-if)#exit 
R2(config)#exit 

R2# 


R2#ping 10.1.1.1 

Type escape sequence to abort. 

Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds: 

!!!!! 

Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms 

Task 2: 

R2(config)#interface loopback 10 

R2(config-if)#ip address 10.10.10.2 255.255.255.192 

R2(config-if)#exit 

R2(config)#interface loopback 20 

R2(config-if)#ip address 20.20.20.2 255.255.255.240 

R2(config-if)#exit 

R2(config)#exit 

R2# 

Task 3: 

R1(config)#ip route 0.0.0.0 0.0.0.0 serial0/0 

R1(config)#exit 

R1# 

R1#ping 10.10.10.2 

Type escape sequence to abort. 

Sending 5, 100-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds: 

!!!!! 

Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms 
R1# 

R1#ping 20.20.20.2 

Type escape sequence to abort. 

Sending 5, 100-byte ICMP Echos to 20.20.20.2, timeout is 2 seconds: 

!!!!! 

Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/8 ms 

Task 4: 

R1(config)#login block-for 40 attempts 2 within 20 






R1(config)#ip access-list extended R2-LPBK-20-TELNET 
R1(config-ext-nacl)#permit tcp 20.20.20.0 0.0.0.15 any eq telnet 

R1(config-ext-nacl)#exit 

R1(config)#login quiet-mode access-class R2-LPBK-20-TELNET 
R1(config)#login on-success log every 1 
R1(config)#login on-failure log every 1 

R1(config)#exit 

R1# 
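To make the Task 4 behaviour concrete (and to predict what the Task 6 test should show), here is an added Python model of the login block policy; it is not part of the lab or of Cisco IOS. It assumes the lab's parameters (block-for 40, attempts 2, within 20, the Loopback20 /28 as the quiet-mode ACL) and models a failure during quiet mode as restarting the block period, which is what the lab's own log timeline shows (the 00:24:21 failure pushes QUIET_MODE_OFF to 00:25:01). 

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class LoginBlock:
    """Model of 'login block-for <block_for> attempts <attempts> within <within>' (assumed values)."""
    block_for: float = 40.0            # quiet period length in seconds
    attempts: int = 2                  # failures that trigger quiet mode ...
    within: float = 20.0               # ... when they fall inside this watch window
    quiet_acl: str = "20.20.20.0/28"   # 'login quiet-mode access-class' exception (R2 Loopback20 subnet)
    failures: list = field(default_factory=list)    # timestamps of recent failed logins
    quiet_until: Optional[float] = None             # end of quiet period, or None when not blocking
    events: list = field(default_factory=list)      # (time, message, source), like the SEC_LOGIN syslog lines

    def in_quiet_mode(self, now):
        # Quiet mode expires on its own; record the transition like %SEC_LOGIN-5-QUIET_MODE_OFF.
        if self.quiet_until is not None and now >= self.quiet_until:
            self.events.append((now, "QUIET_MODE_OFF", None))
            self.quiet_until = None
        return self.quiet_until is not None

    def connect(self, now, src):
        """Is a Telnet connection from src accepted on the vty lines at time now?"""
        if not self.in_quiet_mode(now):
            return True
        # During quiet mode only sources matched by the ACL reach the login prompt.
        return ipaddress.ip_address(src) in ipaddress.ip_network(self.quiet_acl)

    def login(self, now, src, password_ok):
        """Process one login attempt that reached the prompt; True if it succeeds."""
        if password_ok:
            self.events.append((now, "LOGIN_SUCCESS", src))
            return True
        self.events.append((now, "LOGIN_FAILED", src))
        # Keep only failures still inside the watch window, then add this one.
        self.failures = [t for t in self.failures if now - t < self.within] + [now]
        # Enough failures in the window start quiet mode; a failure during quiet mode restarts it.
        if self.in_quiet_mode(now) or len(self.failures) >= self.attempts:
            self.quiet_until = now + self.block_for
            self.failures.clear()
            self.events.append((now, "QUIET_MODE_ON", src))
        return False
```

Replaying the Task 6 sequence (two bad passwords from 10.1.1.2 four seconds apart, then connections from the Loopback10 and Loopback20 sources) reproduces the refusals and the single permitted login. 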

Task 5: 

R1(config)#username ccna privilege 15 secret security 

R1(config)#line vty 0 4 

R1(config-line)#login local 

R1(config-line)#exit 

R1(config)#exit 

R1# 

Task 6: 

R2#telnet 10.1.1.1 

Trying 10.1.1.1 ... Open 


User Access Verification 

Username: ccna 
Password: 

% Login invalid 

Username: ccna 
Password: 

% Login invalid 

[Connection to 10.1.1.1 closed by foreign host] 


R2#telnet 10.1.1.1 

Trying 10.1.1.1 ... 



% Connection refused by remote host 

The following message should be visible on R1 when this happens: 

R1#show log 

Syslog logging: enabled (1 messages dropped, 0 messages rate-limited, 
0 flushes, 0 overruns, xml disabled, filtering disabled) 

No Active Message Discriminator. 


No Inactive Message Discriminator. 


Console logging: disabled 

Monitor logging: level debugging, 0 messages logged, xml disabled, 
filtering disabled 

Buffer logging: level debugging, 5 messages logged, xml disabled, 
filtering disabled 

Logging Exception size (4096 bytes) 

Count and timestamp logging messages: disabled 
Persistent logging: disabled 

Trap logging: level informational, 32 message lines logged 

Log Buffer (4096 bytes): 


*Mar 1 00:20:02.078: %SYS-5-CONFIG_I: Configured from console by ccna on vty0 (10.1.1.2) 

*Mar 1 00:20:10.300: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ccna] [Source: 10.1.1.2] 
[localport: 23] [Reason: Login Authentication Failed - BadPassword] at 00:20:10 UTC Fri Mar 1 2002 

*Mar 1 00:20:14.422: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ccna] [Source: 10.1.1.2] 
[localport: 23] [Reason: Login Authentication Failed - BadPassword] at 00:20:14 UTC Fri Mar 1 2002 

*Mar 1 00:20:14.422: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 6 
secs, [user: ccna] [Source: 10.1.1.2] [localport: 23] [Reason: Login Authentication Failed - 
BadPassword] [ACL: R2-LPBK-20-TELNET] at 00:20:14 UTC Fri Mar 1 2002 

*Mar 1 00:20:54.424: %SEC_LOGIN-5-QUIET_MODE_OFF: Quiet Mode is OFF, because block period 
timed out at 00:20:54 UTC Fri Mar 1 2002 

To validate the second requirement of the Task, Telnet to R1 during the quiet period and the connection 
from ONLY the Loopback20 subnet of R2 should be permitted. 




R2#telnet 10.1.1.1 

Trying 10.1.1.1 ... 

% Connection refused by remote host 


R2#telnet 10.1.1.1 /source loopback 10 

Trying 10.1.1.1 ... 

% Connection refused by remote host 

R2#telnet 10.1.1.1 /source loopback 20 
Trying 10.1.1.1 ... Open 


User Access Verification 

Username: ccna 
Password: 

R1# 

Because all login attempts are being logged, you should see quite a few logs. Make sure that you have 
enabled logging by using the logging buffered command on R1. 

R1#show log 

Syslog logging: enabled (1 messages dropped, 0 messages rate-limited, 

0 flushes, 0 overruns, xml disabled, filtering disabled) 

No Active Message Discriminator. 


No Inactive Message Discriminator. 


Console logging: disabled 

Monitor logging: level debugging, 0 messages logged, xml disabled, 
filtering disabled 

Buffer logging: level debugging, 14 messages logged, xml disabled, 


filtering disabled 



Logging Exception size (4096 bytes) 

Count and timestamp logging messages: disabled 
Persistent logging: disabled 

Trap logging: level informational, 41 message lines logged 


Log Buffer (4096 bytes): 


*Mar 1 00:20:02.078: %SYS-5-CONFIG_I: Configured from console by ccna on vty0 (10.1.1.2) 

*Mar 1 00:20:10.300: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ccna] [Source: 10.1.1.2] 
[localport: 23] [Reason: Login Authentication Failed - BadPassword] at 00:20:10 UTC Fri Mar 1 2002 

*Mar 1 00:20:14.422: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ccna] [Source: 10.1.1.2] 
[localport: 23] [Reason: Login Authentication Failed - BadPassword] at 00:20:14 UTC Fri Mar 1 2002 

*Mar 1 00:20:14.422: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 6 secs, 
[user: ccna] [Source: 10.1.1.2] [localport: 23] [Reason: Login Authentication Failed - BadPassword] 
[ACL: R2-LPBK-20-TELNET] at 00:20:14 UTC Fri Mar 1 2002 

*Mar 1 00:20:54.424: %SEC_LOGIN-5-QUIET_MODE_OFF: Quiet Mode is OFF, because block period 
timed out at 00:20:54 UTC Fri Mar 1 2002 

*Mar 1 00:23:49.663: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ccns] [Source: 10.1.1.2] 
[localport: 23] [Reason: Login Authentication Failed - BadUser] at 00:23:49 UTC Fri Mar 1 2002 

*Mar 1 00:23:54.062: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ccna] [Source: 10.1.1.2] 
[localport: 23] [Reason: Login Authentication Failed - BadPassword] at 00:23:54 UTC Fri Mar 1 2002 

*Mar 1 00:23:54.062: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs, 
[user: ccna] [Source: 10.1.1.2] [localport: 23] [Reason: Login Authentication Failed - BadPassword] 
[ACL: R2-LPBK-20-TELNET] at 00:23:54 UTC Fri Mar 1 2002 

*Mar 1 00:24:10.409: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ccna] [Source: 20.20.20.2] 
[localport: 23] [Reason: Login Authentication Failed - BadPassword] at 00:24:10 UTC Fri Mar 1 2002 

*Mar 1 00:24:10.409: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs, 
[user: ccna] [Source: 20.20.20.2] [localport: 23] [Reason: Login Authentication Failed - BadPassword] 
[ACL: R2-LPBK-20-TELNET] at 00:24:10 UTC Fri Mar 1 2002 

*Mar 1 00:24:21.411: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ccna] [Source: 20.20.20.2] 
[localport: 23] [Reason: Login Authentication Failed - BadPassword] at 00:24:21 UTC Fri Mar 1 2002 

*Mar 1 00:24:21.411: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs, 
[user: ccna] [Source: 20.20.20.2] [localport: 23] [Reason: Login Authentication Failed - BadPassword] 
[ACL: R2-LPBK-20-TELNET] at 00:24:21 UTC Fri Mar 1 2002 

*Mar 1 00:24:41.897: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ccna] [Source: 
20.20.20.2] [localport: 23] at 00:24:41 UTC Fri Mar 1 2002 

*Mar 1 00:25:01.413: %SEC_LOGIN-5-QUIET_MODE_OFF: Quiet Mode is OFF, because block period 
timed out at 00:25:01 UTC Fri Mar 1 2002 


Lab 2 Configurations 
R1 Configuration 

R1#show run 
Building configuration... 



Current configuration : 1077 bytes 


version 12.4 

service timestamps debug datetime msec 
service timestamps log datetime msec 
no service password-encryption 
! 

hostname R1 
! 

boot-start-marker 
boot-end-marker 
! 

logging buffered 4096 
no logging console 
! 

no aaa new-model 
no network-clock-participate slot 1 
no network-clock-participate wic 0 
ip cef 


login block-for 40 attempts 2 within 20 
login quiet-mode access-class R2-LPBK-20-TELNET 
login on-failure log 
login on-success log 


multilink bundle-name authenticated 



username ccna privilege 15 secret 5 $l$LlaJ$13RVZPIzHelKOhx6nYq9sl 
archive 
log config 
hidekeys 

! 

! 

! 

! 

! 

! 

! 

interface FastEthernet0/0 
ip address 172.16.1.1 255.255.255.0 
duplex auto 
speed auto 
! 

interface Serial0/0 

ip address 10.1.1.1 255.255.255.252 
! 

ip forward-protocol nd 
ip route 0.0.0.0 0.0.0.0 Serial0/0 
! 

! 

ip http server 
no ip http secure-server 
! 

ip access-list extended R2-LPBK-20-TELNET 
permit tcp 20.20.20.0 0.0.0.15 any eq telnet 
! 

! 

! 

! 

! 


control-plane 



line con 0 


line aux 0 
line vty 0 4 
password cisco 
login local 
! 

! 

end 

R2 Configuration 

R2#show run 
Building configuration... 

Current configuration : 919 bytes 
! 

version 12.4 

service timestamps debug datetime msec 
service timestamps log datetime msec 
no service password-encryption 
! 

hostname R2 
! 

boot-start-marker 
boot-end-marker 
! 

no logging console 
! 

no aaa new-model 
no network-clock-participate slot 1 
no network-clock-participate wic 0 
ip cef 



! 

no ip domain lookup 
! 

multilink bundle-name authenticated 
! 

! 

! 

! 

! 

archive 
log config 
hidekeys 

! 

! 

! 

! 

! 

! 

! 

interface Loopback10 
ip address 10.10.10.2 255.255.255.192 
! 

interface Loopback20 
ip address 20.20.20.2 255.255.255.240 
! 

interface FastEthernet0/0 
ip address 172.16.1.2 255.255.255.0 
duplex auto 
speed auto 
! 

interface Serial0/0 

ip address 10.1.1.2 255.255.255.252 
clock rate 512000 

! 


ip forward-protocol nd 



! 

! 

ip http server 
ip http authentication local 
no ip http secure-server 
! 

! 

! 

! 

! 

control-plane 

! 

! 

! 

line con 0 
line aux 0 
line vty 0 4 
password cisco 
login 
! 

! 

end 